This is the accessible text file for GAO report number GAO-09-662T
entitled 'Social Security Administration: Effective Information
Technology Management Essential for Data Center Initiative' which was
released on April 28, 2009.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Social Security, Committee on Ways and
Means, House of Representatives:
For Release on Delivery:
Expected at 2:00 p.m. EDT:
Tuesday, April 28, 2009:
Social Security Administration:
Effective Information Technology Management Essential for Data Center
Initiative:
Statement of Valerie C. Melvin, Director:
Information Management and Human Capital Issues:
GAO-09-662T:
GAO Highlights:
Highlights of GAO-09-662T, a testimony before the Subcommittee on
Social Security, Committee on Ways and Means, House of Representatives.
Why GAO Did This Study:
The American Recovery and Reinvestment Act of 2009 (Recovery Act)
provides resources to the Social Security Administration (SSA) to help
replace its National Computer Center. This data center, which is 30
years old, houses the backbone of the agency’s automated operations,
which are critical to providing benefits to nearly 55 million people,
issuing Social Security cards, and maintaining earnings records. The
act makes $500 million available to SSA for the replacement of its
National Computer Center and associated information technology (IT)
costs.
In this testimony, GAO was asked to comment on key IT management
capabilities that will be important to the success of SSA’s data center
initiative.
To do so, GAO relied on previously published products, including
frameworks that it has developed for analyzing IT management areas. GAO
has not performed a detailed examination of SSA’s plans for this
initiative, so it is not commenting on the agency’s progress or making
recommendations.
What GAO Found:
For an effort as central to SSA’s mission as its planned new data
center, effective practices in key IT management areas are essential.
For example:
* Effective strategic planning helps an agency set priorities and
decide how best to coordinate activities to achieve its goals. For
example, a strategic plan identifying interdependencies among
modernization project activities helps ensure that these are understood
and managed, so that projects—and thus system solutions—are effectively
integrated. Given that the new data center is to form the backbone of
SSA’s automated operations, it is important that the agency identify
goals, resources, and dependencies in the context of its strategic
vision.
* An agency’s enterprise architecture describes both its operations and
the technology used to carry them out. A blueprint for organizational
change, an architecture is defined in models that describe (in business
and technology terms) an entity’s current operation and planned future
operation, as well as a plan for transitioning from one to the other.
An enterprise architecture can help optimize SSA’s data center
initiative by ensuring that its planning and implementation take full
account of the business and technology environment.
* For IT investment management, an agency should follow a portfolio-based
approach in which investments are selected, controlled, and
monitored from an agencywide perspective. By helping to allocate
resources effectively, robust investment management processes can help
SSA meet the accountability requirements and align with the goals of
the Recovery Act. For example, projects funded under the act are to
avoid unnecessary delays and cost overruns and are to achieve specific
program outcomes. Investment management is aimed at precisely such
goals: for example, accurate cost estimating (an important aspect of
investment management) provides a sound basis for establishing a
baseline to formulate budgets and measure program performance. Further,
the act emphasizes energy efficiency—also a major concern for data
centers, which have high power and cooling requirements. Investment
management tools are important for evaluating the most cost-effective
approaches to energy efficiency.
* Finally, information security should be considered throughout the
planning, development, and implementation of the data center. Security
is vital for any organization that depends on information systems and
networks to carry out its mission—especially for government agencies
like SSA, where maintaining the public’s trust is essential. One part
of information security management is contingency and continuity of
operations planning—vital for a data center that is to be the backbone
of SSA’s operations and service delivery. Data centers are vulnerable
to a variety of service disruptions, including accidental file
deletions, network failures, systems malfunctions, and disasters.
Accordingly, it is necessary to define plans governing how information
will be processed, retrieved, and protected in the event of minor
interruptions or a full-blown disaster.
These capabilities will be important in helping to ensure that SSA’s
data center effort is successful and effectively uses Recovery Act
funds.
View [hyperlink, http://www.gao.gov/products/GAO-09-662T] or key
components. For more information, contact Valerie Melvin at
(202) 512-6304 or melvinv@gao.gov.
[End of section]
Mr. Chairman and Members of the Subcommittee:
I am pleased to be here today to comment on the efforts of the Social
Security Administration (SSA) to use resources provided by the American
Recovery and Reinvestment Act of 2009 (Recovery Act) to replace its
National Computer Center. Among its provisions, the act makes $500
million available to SSA for the replacement of the center and
associated information technology (IT) costs. This data center, which
is 30 years old, houses the backbone of the agency's automated
operations, which are critical to providing benefits to nearly 55
million people, issuing Social Security cards, and maintaining earnings
records.
SSA has stated that it needs to replace the facility to provide more
current processing capabilities and support the current and growing
requirements of a 24-hour-a-day, 7-day-a-week electronic service
delivery operation. The agency has decided that building a new facility
will allow it to address limitations in the current facility, such as
power supply and grid problems, as well as the presence of aging water
pipes running in the same area as the equipment wiring. At the same
time, the agency plans to move to more modern database technology to
replace current systems, which still contain about 36 million lines of
COBOL code--a programming language that is generally viewed as
obsolete by the computer industry.
To date, we have not performed a detailed examination of SSA's plans
for this initiative; however, by all indications, this effort is
expected to be a significant undertaking. Accordingly, its success will
depend on how effectively the agency plans and manages the initiative--
from inception through delivery. Although IT investments can improve
organizational performance, they can also become risky, costly,
unproductive ventures that do not yield intended results. As we have
described in numerous reports and testimonies, federal IT projects too
frequently incur cost overruns and schedule slippages.[Footnote 1]
Our research into IT management best practices and our evaluations of
agency IT management performance have identified essential and
complementary management disciplines that agencies can use to guide
their efforts on major IT endeavors. These are related to key issues
specific to data centers--identified by other research--that can affect
efforts to construct or modernize these facilities. At your request, my
testimony today summarizes selected key management capabilities that
will be important to the success of SSA's data center initiative, and
ties these capabilities to issues associated specifically with data
centers, as well as to meeting the requirements of the Recovery Act.
In developing this testimony, we relied on previously published
products, including frameworks that we have developed for analyzing IT
management areas.[Footnote 2] We also consulted published literature on
data center construction issues and considerations. We conducted our
work in support of this testimony in April 2009.
Background:
SSA projects that its current data center will not be adequate to
support the demands of its growing workload. In fiscal year 2008, SSA's
benefit programs provided a combined total of approximately $650
billion to nearly 55 million beneficiaries.[Footnote 3] According to
the agency, the number of beneficiaries is estimated to increase
substantially over the next decade. In addition, SSA's systems contain
large volumes of medical information, which is used in processing
disability claims. About 15 million people are receiving federal
disability payments, and SSA has been contending with backlogs in
processing disability claims.
According to SSA officials, the agency plans to use a large portion of
the $1 billion in funding that it was allocated by the Recovery Act
primarily to help build a large-scale data center and to develop new
software to reduce the backlog of disability claims. The act provides
$500 million from the stimulus package for data center expenses,
[Footnote 4] of which $350 million is slated for the building
infrastructure and part of the remaining funding for IT-related
upgrades. This is not the entire projected cost: SSA has indicated that
it needs a total of about $800 million to fund a new IT infrastructure,
including the new data center--the physical building, power and cooling
infrastructure, IT hardware, and systems applications.[Footnote 5]
The Recovery Act's goals, among other things, include creating or
saving more than 3.5 million jobs over the next two years and
encouraging renewable energy and energy conservation. According to the
Office of Management and Budget (OMB), the act's requirements include
unprecedented levels of transparency, oversight, and accountability for
various aspects of Recovery Act planning and implementation. These
requirements are intended to ensure, among other things, that:
* funds are awarded and distributed in a prompt, fair, and reasonable
manner;
* the recipients and uses of all funds are transparent to the public,
and the public benefits of these funds are reported clearly,
accurately, and in a timely manner;
* funds are used for authorized purposes and instances of fraud, waste,
error, and abuse are mitigated;
* projects funded under the act avoid unnecessary delays and cost
overruns; and
* program goals are achieved, including specific program outcomes and
improved results on broader economic indicators.
Attention to Key IT Management Areas Will Help SSA in Its Data Center
Initiative:
An effort as central to SSA's ability to carry out its mission as its
planned new data center requires effective IT management. As our
research and experience at federal agencies have shown,
institutionalizing a set of interrelated IT management capabilities is
key to an agency's success in modernizing its IT systems. These
capabilities include, but are not limited to:
* strategic planning to describe an organization's goals, the
strategies it will use to achieve desired results, and performance
measures;
* developing and using an agencywide enterprise architecture, or
modernization blueprint, to guide and constrain IT investments;
* establishing and following a portfolio-based approach to investment
management; and
* implementing information security management that ensures the
integrity and availability of information.
The Congress has recognized in legislation the importance of these and
other IT management controls,[Footnote 6] and OMB has issued guidance.
[Footnote 7] We have observed that without these types of capabilities,
organizations increase the risk that system modernization projects will
(1) experience cost, schedule, and performance shortfalls and (2) lead
to systems that are redundant and overlap. They also risk not achieving
such aims as increased interoperability and effective information
sharing. As a result, technology may not effectively and efficiently
support agency mission performance and help realize strategic mission
outcomes and goals.
All these management capabilities have particular relevance to the data
center initiative.
* IT strategic planning. A foundation for effective modernization,
strategic planning is vital to create an agency's IT vision or roadmap
and help align its information resources with its business strategies
and investment decisions. An IT strategic plan, which might include the
mission of the agency, key business processes, IT challenges, and
guiding principles, is important to enable an agency to consider the
resources, including human, infrastructure, and funding, that are
needed to manage, support, and pay for projects. For example, a
strategic plan that identifies interdependencies within and across
modernization projects helps ensure that these are understood and
managed, so that projects--and thus system solutions--are effectively
integrated. Given that the new data center is to form the backbone of
SSA's automated operations, it is important that the agency identify
goals, resources, and dependencies in the context of its strategic
vision.
* Enterprise architecture. An enterprise architecture consists of
models that describe (in both business and technology terms) how an
entity operates today and how it intends to operate in the future; it
also includes a plan for transitioning to this future state. More
specifically, it describes the enterprise in logical terms (such as
interrelated business processes and business rules, information needs
and flows, and work locations and users) as well as in technical terms
(such as hardware, software, data, communications, and security
attributes and performance standards). It provides these perspectives
both for the enterprise's current environment and for its target
environment, as well as a transition plan for moving from one to the
other. In short, it is a blueprint for organizational change. Using an
enterprise architecture is important to help avoid developing
operations and systems that are duplicative, not well integrated,
unnecessarily costly to maintain and interface, and ineffective in
supporting mission goals.
Like an IT strategic plan (with which an enterprise architecture should
be closely aligned), an enterprise architecture is an important tool to
help SSA ensure that its data center initiative is successful. Using an
enterprise architecture will help the agency ensure that the planning
and implementation of the initiative take full account of the business
and technology environment in which the data center and its systems are
to operate.
* IT investment management. An agency should establish and follow a
portfolio-based approach to investment management in which IT
investments are selected, controlled, and monitored from an agencywide
perspective. In this way, investment decisions are linked to an
organization's strategic objectives and business plans. Such an
approach helps ensure that agencies allocate their resources
effectively.[Footnote 8]
In 2008, we evaluated SSA's investment management approach and found
that it was largely consistent with leading investment management
practices.[Footnote 9] SSA had established most practices needed to
manage its projects as investments; however, it had not applied its
process to all of its investments. For example, SSA had not applied its
investment management process to a major portion of its IT budget. We
recommended that for full accountability, SSA should manage its full IT
development and acquisitions budget through its investment management
board. We also made several recommendations for improving the
evaluation of completed projects, including the use of quantitative
measures of project success.
Going forward, ensuring that best practices in investment management
are applied to the data center initiative will help the agency
effectively use funds appropriated under the Recovery Act. For example,
projects funded under the act are to avoid unnecessary delays and cost
overruns and are to achieve specific program outcomes and improved
results on broader economic indicators. Robust investment management
controls are important tools for achieving these goals. For example,
developing accurate cost estimates--an important aspect of investment
management--helps an agency evaluate resource requirements and
increases the probability of program success. We have issued a cost
estimating guide[Footnote 10] that provides best practices that
agencies can use for developing and managing program cost estimates
that are comprehensive, well-documented, accurate, and credible, and
that provide management with a sound basis for establishing a baseline
to formulate budgets and measure program performance. The guide also
covers the use of earned value management (EVM), a technique for
comparing the value of work accomplished in a given period with the
value of the work expected.[Footnote 11] EVM metrics can alert program
managers to potential problems sooner than tracking expenditures alone.
Finally, the Recovery Act emphasizes the importance of energy
efficiency and green building projects. Applying rigorous investment
management controls to the planning and implementation of the data
center design will help SSA determine the optimal approach to aligning
its initiative with these goals. Because of the large power
requirements and the heat generated by the equipment housed in data
centers, efficient power and cooling are major concerns, particularly
in light of evolving technology and increasing demand for information.
To optimize their power and cooling requirements, agencies need to
quantify cooling requirements and model these into data center designs.
Such considerations affect the choice of locations for a new data
center, facility requirements, and even floor space designs. Ways to
improve energy efficiencies in data center facilities could include
such cost-effective practices as reducing the need for artificial light
by maximizing the use of natural light and insulating buildings more
efficiently. For example, installing green (planted) roofs can insulate
facilities and at the same time absorb carbon dioxide.
* Information security. For any organization that depends on
information systems and computer networks to carry out its mission or
business, information security is a critical consideration. It is
especially important for government agencies like SSA, where
maintaining the public's trust is essential. Information security
covers a wide range of controls, including general controls that apply
across information systems (such as access controls and contingency
planning) and business process application-specific controls to ensure
the completeness, accuracy, validity, confidentiality, and availability
of data.[Footnote 12]
For the data center initiative, security planning and management will
be important from the earliest stages of the project through the whole
life cycle. In today's environment, in which security threats are both
domestic and international, operational and physical security is
required to sustain the safety and reliability of the data center's
services on a day-to-day basis. An agency needs to have
well-established security policies and practices in place and provide
periodic assessments to ensure that the information and the facility
are protected. Organizations must design and implement controls to
detect and prevent unauthorized access to computer resources (e.g.,
data, programs, equipment, and facilities), thereby protecting them
from unauthorized disclosure, modification, and loss. Specific access
controls could include means to verify personnel identification and
authorization.
Further, because a data center is the backbone of an organization's
operations and service delivery, continuity of operations is a key
concern. Data centers need to be designed with the ability to
efficiently provide consistent processing of operations. Even slight
disruptions in power can adversely affect service delivery. Data
centers are vulnerable to a variety of service disruptions, including
accidental file deletions, network failures, systems malfunctions, and
disasters. In the design of a data center, continuity of operations
needs to be addressed at every level--including applications, systems,
and businesses. An agency needs to articulate, in a well-defined plan,
how it will process, retrieve, and protect electronically maintained
information in the event of minor interruptions or a full-blown
disaster. Disaster recovery plans should address all aspects of the
recovery, including where to move personnel and how to maintain the
business operations. Agency leaders need to prioritize business
recovery procedures and to highlight the potential issues in such areas
as application availability, data retention, speed of recovery, and
network availability.
In summary, given the projected increase in beneficiaries and the
exceptional volume of medical data processed, these IT management
capabilities will be imperative for SSA to follow as it pursues the
complex data center initiative.
Mr. Chairman, this completes my prepared statement. I would be pleased
to respond to any questions you or other Members of the Subcommittee
may have.
GAO Contact and Staff Acknowledgments:
If you should have any questions about this statement, please contact
me at (202) 512-6304 or by e-mail at melvinv@gao.gov. Other individuals
who made key contributions to this statement are Barbara Collier,
Christie Motley, and Melissa Schermerhorn.
[End of section]
Footnotes:
[1] For example, GAO, Information Technology: Agencies Need to
Establish Comprehensive Policies to Address Changes to Projects' Cost,
Schedule, and Performance Goals, [hyperlink,
http://www.gao.gov/products/GAO-08-925] (Washington, D.C.: July 31,
2008); DOD Business Systems Modernization: Progress in Establishing
Corporate Management Controls Needs to Be Replicated Within Military
Departments, [hyperlink, http://www.gao.gov/products/GAO-08-705]
(Washington, D.C.: May 15, 2008); and Environmental Satellites:
Polar-Orbiting Satellite Acquisition Faces Delays, Decisions Needed on
Whether and How to Ensure Climate Data Continuity, [hyperlink,
http://www.gao.gov/products/GAO-08-518] (Washington, D.C.: May 16,
2008).
[2] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity (Version 1.1), [hyperlink,
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March
2004); and Information Technology: A Framework for Assessing and
Improving Enterprise Architecture Management (Version 1.1), [hyperlink,
http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: Apr. 1,
2003).
[3] SSA provides financial assistance to eligible individuals through
three major benefits programs: Old-Age and Survivors Insurance provides
benefits to retired workers and their families and to survivors of
deceased workers. Disability Insurance provides benefits to eligible
workers who have qualifying disabilities, and their eligible family
members. Supplemental Security Income provides income for aged, blind,
or disabled individuals with limited income and resources.
[4] The remaining $500 million is to be used for processing disability
and retirement workloads, including IT acquisitions.
[5] The new data center is in addition to an estimated $72 million
backup facility that is being constructed in Durham, North Carolina.
[6] The Clinger-Cohen Act of 1996 (40 U.S.C. §§11101-11703), for
example, provides a framework for effective IT management that includes
systems integration planning, human capital management, and investment
management. In addition, the Paperwork Reduction Act (44 U.S.C.
§§3501-3521, Pub. L. 104-13, May 22, 1995) requires that agencies have
strategic plans for their information resource management. Software
Engineering Institute, CMMI for Acquisition, Version 1.2,
CMU/SEI-2007-TR-017 (Pittsburgh, PA: November 2007).
[7] For guidance on integrated IT modernization planning and investment
management, see OMB, Management of Federal Information Resources,
Circular A-130 (Washington, D.C., Nov. 28, 2000) and Planning,
Budgeting, Acquisition, and Management of Capital Assets, Circular
A-11, Part 7 (Washington, D.C., July 2003).
[8] [hyperlink, http://www.gao.gov/products/GAO-04-394G].
[9] GAO, Information Technology: SSA Has Taken Key Steps for Managing
Its Investments, but Needs to Strengthen Oversight and Fully Define
Policies and Procedures, [hyperlink,
http://www.gao.gov/products/GAO-08-1020] (Washington, D.C.: Sept. 12,
2008).
[10] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for
Developing and Managing Capital Program Costs, [hyperlink,
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009).
[11] OMB requires agencies to use EVM in their performance-based
management systems for the parts of an investment in which development
effort is required or system improvements are under way.
[12] GAO, Federal Information Systems Controls Audit Manual (FISCAM),
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.:
February 2009).
[End of section]